diff options
| author | jsing <> | 2020-02-16 16:39:01 +0000 |
|---|---|---|
| committer | jsing <> | 2020-02-16 16:39:01 +0000 |
| commit | 5c10d8250250eed0abef10eabb0e9ae0cf1fe8c8 (patch) | |
| tree | 9ce95afefe4c444bdd0e8c8928d9b58e9612999c /src/usr.bin/openssl/s_client.c | |
| parent | 5f232a5347aa50b02963840b94a44e39ca4a5d4d (diff) | |
| download | openbsd-5c10d8250250eed0abef10eabb0e9ae0cf1fe8c8.tar.gz openbsd-5c10d8250250eed0abef10eabb0e9ae0cf1fe8c8.tar.bz2 openbsd-5c10d8250250eed0abef10eabb0e9ae0cf1fe8c8.zip | |
Add -tls1_3 and -notls1_3 options to openssl(1) s_client.
Also stop using version pinned methods, instead setting the min and max
protocol versions.
Requested by inoguchi@
ok inoguchi@ tb@
Diffstat (limited to 'src/usr.bin/openssl/s_client.c')
| -rw-r--r-- | src/usr.bin/openssl/s_client.c | 46 |
1 files changed, 29 insertions, 17 deletions
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c index 1537ebcb26..443f00505e 100644 --- a/src/usr.bin/openssl/s_client.c +++ b/src/usr.bin/openssl/s_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s_client.c,v 1.41 2020/01/23 03:35:54 beck Exp $ */ | 1 | /* $OpenBSD: s_client.c,v 1.42 2020/02/16 16:39:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -222,12 +222,13 @@ sc_usage(void) | |||
| 222 | BIO_printf(bio_err, " -quiet - no s_client output\n"); | 222 | BIO_printf(bio_err, " -quiet - no s_client output\n"); |
| 223 | BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); | 223 | BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); |
| 224 | BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); | 224 | BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); |
| 225 | BIO_printf(bio_err, " -tls1_3 - just use TLSv1.3\n"); | ||
| 225 | BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); | 226 | BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); |
| 226 | BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); | 227 | BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); |
| 227 | BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); | 228 | BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); |
| 228 | BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); | 229 | BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); |
| 229 | BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); | 230 | BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); |
| 230 | BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); | 231 | BIO_printf(bio_err, " -no_tls1_3/-no_tls1_2/-no_tls1_1/-no_tls1 - turn off that protocol\n"); |
| 231 | BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n"); | 232 | BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n"); |
| 232 | BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); | 233 | BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); |
| 233 | BIO_printf(bio_err, " command to see what is available\n"); | 234 | BIO_printf(bio_err, " command to see what is available\n"); |
| @@ -334,6 +335,7 @@ s_client_main(int argc, char **argv) | |||
| 334 | int peerlen = sizeof(peer); | 335 | int peerlen = sizeof(peer); |
| 335 | int enable_timeouts = 0; | 336 | int enable_timeouts = 0; |
| 336 | long socket_mtu = 0; | 337 | long socket_mtu = 0; |
| 338 | uint16_t min_version = 0, max_version = 0; | ||
| 337 | 339 | ||
| 338 | if (single_execution) { | 340 | if (single_execution) { |
| 339 | if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) { | 341 | if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) { |
| @@ -342,7 +344,7 @@ s_client_main(int argc, char **argv) | |||
| 342 | } | 344 | } |
| 343 | } | 345 | } |
| 344 | 346 | ||
| 345 | meth = SSLv23_client_method(); | 347 | meth = TLS_client_method(); |
| 346 | 348 | ||
| 347 | c_Pause = 0; | 349 | c_Pause = 0; |
| 348 | c_quiet = 0; | 350 | c_quiet = 0; |
| @@ -445,15 +447,21 @@ s_client_main(int argc, char **argv) | |||
| 445 | nbio_test = 1; | 447 | nbio_test = 1; |
| 446 | else if (strcmp(*argv, "-state") == 0) | 448 | else if (strcmp(*argv, "-state") == 0) |
| 447 | state = 1; | 449 | state = 1; |
| 448 | else if (strcmp(*argv, "-tls1_2") == 0) | 450 | else if (strcmp(*argv, "-tls1_3") == 0) { |
| 449 | meth = TLSv1_2_client_method(); | 451 | min_version = TLS1_3_VERSION; |
| 450 | else if (strcmp(*argv, "-tls1_1") == 0) | 452 | max_version = TLS1_3_VERSION; |
| 451 | meth = TLSv1_1_client_method(); | 453 | } else if (strcmp(*argv, "-tls1_2") == 0) { |
| 452 | else if (strcmp(*argv, "-tls1") == 0) | 454 | min_version = TLS1_2_VERSION; |
| 453 | meth = TLSv1_client_method(); | 455 | max_version = TLS1_2_VERSION; |
| 456 | } else if (strcmp(*argv, "-tls1_1") == 0) { | ||
| 457 | min_version = TLS1_1_VERSION; | ||
| 458 | max_version = TLS1_1_VERSION; | ||
| 459 | } else if (strcmp(*argv, "-tls1") == 0) { | ||
| 460 | min_version = TLS1_VERSION; | ||
| 461 | max_version = TLS1_VERSION; | ||
| 454 | #ifndef OPENSSL_NO_DTLS1 | 462 | #ifndef OPENSSL_NO_DTLS1 |
| 455 | else if (strcmp(*argv, "-dtls1") == 0) { | 463 | } else if (strcmp(*argv, "-dtls1") == 0) { |
| 456 | meth = DTLSv1_client_method(); | 464 | meth = DTLS_client_method(); |
| 457 | socket_type = SOCK_DGRAM; | 465 | socket_type = SOCK_DGRAM; |
| 458 | } else if (strcmp(*argv, "-timeout") == 0) | 466 | } else if (strcmp(*argv, "-timeout") == 0) |
| 459 | enable_timeouts = 1; | 467 | enable_timeouts = 1; |
| @@ -489,7 +497,9 @@ s_client_main(int argc, char **argv) | |||
| 489 | if (--argc < 1) | 497 | if (--argc < 1) |
| 490 | goto bad; | 498 | goto bad; |
| 491 | CAfile = *(++argv); | 499 | CAfile = *(++argv); |
| 492 | } else if (strcmp(*argv, "-no_tls1_2") == 0) | 500 | } else if (strcmp(*argv, "-no_tls1_3") == 0) |
| 501 | off |= SSL_OP_NO_TLSv1_3; | ||
| 502 | else if (strcmp(*argv, "-no_tls1_2") == 0) | ||
| 493 | off |= SSL_OP_NO_TLSv1_2; | 503 | off |= SSL_OP_NO_TLSv1_2; |
| 494 | else if (strcmp(*argv, "-no_tls1_1") == 0) | 504 | else if (strcmp(*argv, "-no_tls1_1") == 0) |
| 495 | off |= SSL_OP_NO_TLSv1_1; | 505 | off |= SSL_OP_NO_TLSv1_1; |
| @@ -550,17 +560,14 @@ s_client_main(int argc, char **argv) | |||
| 550 | starttls_proto = PROTO_XMPP; | 560 | starttls_proto = PROTO_XMPP; |
| 551 | else | 561 | else |
| 552 | goto bad; | 562 | goto bad; |
| 553 | } | 563 | } else if (strcmp(*argv, "-4") == 0) { |
| 554 | else if (strcmp(*argv, "-4") == 0) { | ||
| 555 | af = AF_INET; | 564 | af = AF_INET; |
| 556 | } else if (strcmp(*argv, "-6") == 0) { | 565 | } else if (strcmp(*argv, "-6") == 0) { |
| 557 | af = AF_INET6; | 566 | af = AF_INET6; |
| 558 | } | 567 | } else if (strcmp(*argv, "-servername") == 0) { |
| 559 | else if (strcmp(*argv, "-servername") == 0) { | ||
| 560 | if (--argc < 1) | 568 | if (--argc < 1) |
| 561 | goto bad; | 569 | goto bad; |
| 562 | servername = *(++argv); | 570 | servername = *(++argv); |
| 563 | /* meth=TLSv1_client_method(); */ | ||
| 564 | } | 571 | } |
| 565 | #ifndef OPENSSL_NO_SRTP | 572 | #ifndef OPENSSL_NO_SRTP |
| 566 | else if (strcmp(*argv, "-use_srtp") == 0) { | 573 | else if (strcmp(*argv, "-use_srtp") == 0) { |
| @@ -649,6 +656,11 @@ s_client_main(int argc, char **argv) | |||
| 649 | if (vpm) | 656 | if (vpm) |
| 650 | SSL_CTX_set1_param(ctx, vpm); | 657 | SSL_CTX_set1_param(ctx, vpm); |
| 651 | 658 | ||
| 659 | if (!SSL_CTX_set_min_proto_version(ctx, min_version)) | ||
| 660 | goto end; | ||
| 661 | if (!SSL_CTX_set_max_proto_version(ctx, max_version)) | ||
| 662 | goto end; | ||
| 663 | |||
| 652 | #ifndef OPENSSL_NO_SRTP | 664 | #ifndef OPENSSL_NO_SRTP |
| 653 | if (srtp_profiles != NULL) | 665 | if (srtp_profiles != NULL) |
| 654 | SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); | 666 | SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); |